FIPS validation is basically a blessing from a High Priest Of The CMVP. If anything changes from what was blessed, the blessing goes away, unless the changes are blessed by the same or another High Priest. Knowing that, the following answers are obvious.

1) They don't. The FIPS module only implements the cryptographic primitives, not any of the stuff that relies on those primitives. There were plans for a "rolling validation", where fixes are rolled into the next validation effort, but I haven't heard anything from the Open Source Software Institute about that. My fear is that they have no funding for such an effort.

2) The security policy *MUST BE FOLLOWED EXACTLY*, with no modifications to the source files. Different versions of Linux have no problems. (Hypothetically speaking, if the OpenSSL FIPS Module 1.2 was built on a Linux kernel 0.94 on an i386 with gcc 2 and following the security policy precisely, the FIPS module is valid on all Linux x86 systems.)

3) No. You can, however, use the OpenSSL FIPS Module 1.2 as a base, make the changes you need for cross-compilation and such, and then get the result blesse^Wvalidated.

-Kyle H

On Fri, Aug 14, 2009 at 12:54 PM, Pandit Panburana <ppanb...@yahoo.com> wrote:
> Hello,
> I have a few questions about the FIPS module.
> 1) The current version of OpenSSL FIPS Module is 1.2. It is based on 0.9.8e and 0.9.8f of standard OpenSSL. The latest stable version is 0.9.8k. How do fixes get into the validated FIPS module?
> 2) The current procedure suggests that the FIPS module is built on the same target platform as the application. Is it possible that the target platform is different than the building platform but they both are x86-based platforms (here the OS is Linux but may have a different version)?
> 3) Is there any workaround for cross compilation?
> Thank you,
> -Pandit